How to add a CA root to Istio-Ingressgateway's list of trusted CAs?

I have a gateway with TLS termination at the gateway using mode SIMPLE (see the snippet below).

spec:
  selector:
    istio: ingressgateway # use Istio's default ingress gateway
  servers:
  - port:
      name: https
      number: 443
      protocol: https
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_3
    hosts:
    - "*"
  - port:
      name: http
      number: 80
      protocol: http
    tls:
      httpsRedirect: true
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_3
    hosts:
    - "*"

I have a requirement where I need to be able to trust a specific root along with all the others I am already trusting (part of the list of ca-certificates of the Istio gateway). Keeping in mind that I cannot change the mode here to MUTUAL, is it possible to add the trusted root?

First of all, create a secret in the istio-system namespace:

kubectl create -n istio-system secret generic my-credentials \
  --from-file=tls.key=my.key \
  --from-file=tls.crt=cert.crt \
  --from-file=ca.crt=my_ca.crt

my_ca.crt may contain multiple CA roots.

And finally, in your gateway just add these lines:

    tls:
      mode: SIMPLE
      credentialName: my-credentials

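Assembling the secret described in the answer, as an added example that is not part of the original thread: it builds the generic Secret manifest with the tls.key, tls.crt and ca.crt keys the credentialName lookup expects, concatenates several CA roots into ca.crt, and rejects a bundle that contains anything other than certificates. The PEM bodies are constructed placeholders, not real key material.

```python
# Added example (not from the original thread): build the generic Secret that
# Istio's credentialName looks up, with ca.crt holding several CA roots.
import base64
import json
import re

# One PEM block; group 1 captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(?:.+?\r?\n)?-----END \1-----", re.S)

def pem_labels(text):
    """Return the labels of all PEM blocks in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def build_ca_bundle(ca_pems):
    """Concatenate CA root PEMs into one ca.crt; refuse non-certificate blocks."""
    bundle = ""
    for pem in ca_pems:
        labels = pem_labels(pem)
        if not labels or any(label != "CERTIFICATE" for label in labels):
            raise ValueError("ca.crt may only contain CERTIFICATE blocks")
        bundle += pem.strip() + "\n"
    return bundle

def build_secret(name, namespace, key_pem, cert_pem, ca_pems):
    """Return the Secret manifest with the keys the gateway expects."""
    if not any(label.endswith("PRIVATE KEY") for label in pem_labels(key_pem)):
        raise ValueError("tls.key must contain a PRIVATE KEY block")
    if "CERTIFICATE" not in pem_labels(cert_pem):
        raise ValueError("tls.crt must contain a CERTIFICATE block")
    def b64(text):
        return base64.b64encode(text.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.key": b64(key_pem), "tls.crt": b64(cert_pem),
                     "ca.crt": b64(build_ca_bundle(ca_pems))}}

def ca_root_count(secret):
    """Number of CA roots carried in the secret's ca.crt."""
    ca = base64.b64decode(secret["data"]["ca.crt"]).decode()
    return pem_labels(ca).count("CERTIFICATE")

# Constructed placeholder PEMs (not real key material) so this runs offline.
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
ROOT_A = "-----BEGIN CERTIFICATE-----\nUk9PVEE=\n-----END CERTIFICATE-----\n"
ROOT_B = "-----BEGIN CERTIFICATE-----\nUk9PVEI=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    secret = build_secret("my-credentials", "istio-system", KEY, CERT, [ROOT_A, ROOT_B])
    print(json.dumps(secret, indent=2))  # apply with: kubectl apply -f <file>
```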